{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33889", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:10:05.682Z", "datePublished": "2026-04-15T19:29:50.899Z", "dateUpdated": "2026-04-15T19:29:50.899Z"}, "containers": {"cna": {"title": "ApostropheCMS: Stored XSS via CSS Custom Property Injection in `@apostrophecms/color-field` Escaping Style Tag Context", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-97v6-998m-fp4g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-97v6-998m-fp4g"}, {"name": "https://github.com/apostrophecms/apostrophe/commit/6a89bdb7acdb2e1e9bf1429961a6ba7f99410481", "tags": ["x_refsource_MISC"], "url": "https://github.com/apostrophecms/apostrophe/commit/6a89bdb7acdb2e1e9bf1429961a6ba7f99410481"}], "affected": [{"vendor": "apostrophecms", "product": "apostrophe", "versions": [{"version": "< 4.29.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T19:29:50.899Z"}, "descriptions": [{"lang": "en", "value": "ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the launder.string() call performs only type coercion without stripping HTML metacharacters. These unsanitized values are then concatenated directly into <style> tags both in per-widget style elements rendered for all visitors and in the global stylesheet rendered for editors, with the output marked as safe HTML. An editor can inject a value which closes the style tag and executes arbitrary JavaScript in the browser of every visitor to any page containing the affected widget. This enables mass session hijacking, cookie theft, and privilege escalation to administrative control if an admin views draft content. This issue has been fixed in version 4.29.0."}], "source": {"advisory": "GHSA-97v6-998m-fp4g", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the launder.string() call performs only type coercion without stripping HTML metacharacters. These unsanitized values are then concatenated directly into <style> tags both in per-widget style elements rendered for all visitors and in the global stylesheet rendered for editors, with the output marked as safe HTML. An editor can inject a value which closes the style tag and executes arbitrary JavaScript in the browser of every visitor to any page containing the affected widget. This enables mass session hijacking, cookie theft, and privilege escalation to administrative control if an admin views draft content. This issue has been fixed in version 4.29.0."}], "id": "CVE-2026-33889", "lastModified": "2026-04-15T20:16:35.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T20:16:35.850", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/apostrophecms/apostrophe/commit/6a89bdb7acdb2e1e9bf1429961a6ba7f99410481"}, {"source": "security-advisories@github.com", "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-97v6-998m-fp4g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T21:53:53.456478+00:00", "value": {"mitigation_remediation": ["Upgrade ApostropheCMS to version 4.29.0 or later, where the issue is fixed.", "If an upgrade is not immediately possible, block or sanitize custom CSS property input to strip or encode HTML characters before storing the value.", "Restrict editor access by assigning stricter role permissions or temporarily disabling widget editing for untrusted users.", "Implement server\u2011side validation of color fields to reject values beginning with '--' and enforce proper escaping before rendering into style tags.", "Monitor logs for signs of anomalous JavaScript execution or session hijacking events."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects ApostropheCMS version 4.28.0 and all earlier releases. The affected product is the open-source Node.js content management system developed by apostrophecms.", "description_and_impact": "ApostropheCMS allows editors to enter color values that are incorporated directly into <style> tags without proper escaping. The @apostrophecms/color\u2011field module incorrectly accepts values prefixed with '--', bypassing TinyColor validation, and the subsequent laundering process only coerces types, leaving HTML metacharacters intact. When these unsanitized values are concatenated into style elements marked as safe HTML, an attacker can close the style tag and inject JavaScript. This flaw is a typical stored XSS (CWE\u201179) that can lead to session hijacking, cookie theft, and, if an administrator views the compromised widget, privilege escalation to full administrative access.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, and the EPSS score is not provided, implying no data on current exploitation likelihood. The flaw is listed outside the CISA KEV catalog. Exploitation requires access to the CMS editor interface, meaning that a user with content\u2011editing rights can inject malicious values. Once injected, every visitor to pages containing the affected widget will execute the embedded script, potentially compromising all users\u2019 sessions and escalating to administrative privileges if the admin views the draft content."}}}}, "created": "2026-04-15T22:00:06.618405+00:00", "updated": "2026-04-15T22:00:06.618415+00:00", "vendors": []}